How to create a complex rule with system-config-securitylevel?
Deron Meranda
deron.meranda at gmail.com
Thu Dec 2 03:05:09 UTC 2004
On Thu, 2 Dec 2004 09:17:50 +0800, John Summerfield
<debian at herakles.homelinux.org> wrote:
> On Thursday 02 December 2004 08:59, Vinicius wrote:
> > how to create a complex rule with system-config-securitylevel, please?
> >
> > For example, I would like to enable a range of public IP's to access a
The system-config-securitylevel application is just a front-end to
Red Hat's old Lokkit firewall tool from RHL 8.0. It is only designed
for very simple configurations, as per its manual:
"You should not try to use GNOME Lokkit to generate complex firewall
rules. It is intended for average users who want to protect themselves
while using a modem, cable, or DSL Internet connection. To configure
specific firewall rules, refer to the Firewalling with iptables chapter in
the Official Red Hat Linux Reference Guide."
That said, it's not all or nothing. You can use the GUI to set up the
simple firewall rules that make sense, and then use iptables directly
for your additional complex rules. It's still well worth learning
iptables itself, or using a more complete front-end firewall
configuration tool. But if you need to, the trick is to insert your
custom rules before those created by the lokkit tool. All the rules
that system-config-securitylevel creates are placed into a filter
chain named "RH-Firewall-1-INPUT". Then a single rule is placed in
the main "INPUT" and "FORWARD" chains which points to it; e.g.,
something like,
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
So say you now want to also add a custom rule that allows TCP inbound
traffic to port 12345 only from IPs in the range 192.168.40.0 through
192.168.40.255. You must INSERT your rule ahead of the one that calls
the RH-Firewall-1-INPUT chain; as,
# iptables -I INPUT 1 -p tcp --dport 12345 -s 192.168.40.0/24 -j ACCEPT
The "1" after the "-I INPUT" says to insert your rule first.
Then, to get your custom rule to survive reboots, you need to save it,
# service iptables save
or
# iptables-save >/etc/sysconfig/iptables
That should get you by until you read the iptables documentation or
use a more complex firewall configuration tool.
--
Deron Meranda
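The insert-ahead-of-the-chain trick above, as an added example script (not part of the original message): instead of assuming position 1, it locates the jump to RH-Firewall-1-INPUT in the INPUT chain and inserts directly ahead of it, so custom rules added earlier keep their order, and it skips the insert when the rule is already present. The RH_CHAIN variable and the function names are this example's own; the rule text is matched as iptables-save prints it.

```shell
#!/bin/sh
# Added example for this thread (not from the original post): insert a
# custom ACCEPT rule directly ahead of the lokkit-generated jump to
# RH-Firewall-1-INPUT, keeping earlier custom rules in order and not
# duplicating the rule when run twice. Only iptables-save, iptables -I
# and "service iptables save" are used, as in the post itself.
RH_CHAIN=RH-Firewall-1-INPUT

# Read "-A INPUT ..." lines (iptables-save format) on stdin and print the
# 1-based position of the first rule that jumps to $1, or 0 if none.
jump_position() {
    awk -v tgt="$1" '
        $1 == "-A" {
            n++
            for (i = 2; i < NF; i++)
                if ($i == "-j" && $(i + 1) == tgt) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Same input; exit 0 if an ACCEPT rule for source $1 and TCP dport $2 exists.
rule_present() {
    awk -v src="$1" -v port="$2" '
        $1 == "-A" {
            ok_src = ok_port = ok_tgt = 0
            for (i = 2; i < NF; i++) {
                if ($i == "-s" && $(i + 1) == src) ok_src = 1
                if ($i == "--dport" && $(i + 1) == port) ok_port = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") ok_tgt = 1
            }
            if (ok_src && ok_port && ok_tgt) { found = 1; exit }
        }
        END { exit !found }'
}
# Insert "allow TCP port $2 from $1" ahead of the RH chain, then persist.
allow_tcp_from() {
    listing=$(iptables-save -t filter | grep '^-A INPUT ')
    if printf '%s\n' "$listing" | rule_present "$1" "$2"; then
        echo "rule for $1 port $2 already present"; return 0
    fi
    pos=$(printf '%s\n' "$listing" | jump_position "$RH_CHAIN")
    if [ "$pos" -eq 0 ]; then
        echo "no jump to $RH_CHAIN in INPUT; is the lokkit firewall active?" >&2
        return 1
    fi
    iptables -I INPUT "$pos" -p tcp --dport "$2" -s "$1" -j ACCEPT \
        && service iptables save
}
# Usage (as root): allow_tcp_from 192.168.40.0/24 12345
```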